SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #63

August 11, 2009

(1) V2.1 To Be Released This Week
On Friday of this week Version 2.1 of the 20 Critical Controls for Effective Cyber Defense will be published at the CSIS site. This update reflects input from more than 100 organizations that reviewed the initial draft and contains the mapping of the 20 Critical Controls to revised NIST 800-53 controls requested by NIST.

(2) Search for Effective Automation Tools Begins
This release also signals the launch of the search for tools that automate one or more of the controls. The authors have already received seven submissions from vendors that believe their tools provide effective automation for the implementation and continuous monitoring of several controls. The new search will last until August 31. Any user who has automated elements of the 20 Critical Controls, and any vendor whose tools automate those controls, should send submissions to cag@sans.org before August 31. Those that are demonstrated to actually work will be posted and may be included in the first National Summit on Planning and Implementing the 20 Critical Controls, to be held at the Reagan Center in November. If you are wondering whether your tools meet the needs, you can find a draft at

TOP OF THE NEWS

US-CERT Director Resigns (August 8 & 10, 2009)

The director of the Department of Homeland Security's (DHS) US Computer Emergency Readiness Team (US-CERT) has resigned. Mischel Kwon was the fourth person to hold that position in the last five years. Last week, acting National Cyber Security Coordinator Melissa Hathaway stepped down, withdrawing her name from the list of potential candidates for the full-time post. The position was announced months ago and has yet to be filled. Earlier this year, Rod Beckstrom resigned as head of the DHS National Cyber Security Center, citing a lack of funding and bickering over control with other agencies.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/07/AR2009080702805_pf.html
-http://www.theregister.co.uk/2009/08/10/us_cert_boss_quits/
-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219100611
-http://fcw.com/Articles/2009/08/10/Web-Kwon-Resignation-USCERT.aspx
-http://blogs.usatoday.com/ondeadline/2009/08/head-of-us-computeremergency-agency-quits.html
[Editor's Note (Schultz): This says a lot about the barriers and negative job conditions that cyber security professionals within the US government face. Note also that this is not the first time that notable cyber security professionals within the government have bailed.
(Paller): Ms. Kwon's leaving is not a big national policy issue - it simply reflects her frustration with weak personnel that the last Administration placed at DHS and the bad performance that ensued. The new managers in cyber at DHS (Reitinger, McConnell, Schaffer, Brown, Coose) are enormously better, good enough to make a big difference in cybersecurity in government. And once they enable the government to lead by example, they are good enough to make a difference in the rest of the critical infrastructure with or without a White House cyber czar. But Mischel's patience with ineffective people in the lower level management roles and legal positions had run out. She was the best thing that had happened to DHS in years. Very sad.]

THE REST OF THE WEEK'S NEWS

Luis Robert Altamarino has been arrested and indicted for allegedly breaking into his former employer's computer network and causing damage that took days to remedy. The intrusion occurred a year after Altamarino was let go from his position as a computer specialist at the United Way Miami-Dade County. He allegedly gained access to the organization's servers and deleted donor lists, email and the BlackBerry account management system. He also allegedly caused problems with the organization's analog phone system, rendering voicemail inaccessible. Altamarino had worked for the United Way for five months starting in July 2007. The incident illustrates the importance of revoking access privileges as soon as employees are terminated.
-http://www.theregister.co.uk/2009/08/07/it_admin_christmas_eve_rampage/
-http://news.softpedia.com/news/Former-IT-Specialist-Hacks-into-Charity-039-s-Network-118711.shtml
-http://www.usdoj.gov/usao/fls/PressReleases/090806-01.html
[Editor's Note (Weatherford): De-provisioning users is one of the most important things an organization can do, yet it continues to be one of those things people simply don't think is important enough... until they become a victim.]

In contrast to recent news that the US military is considering restricting or even banning social networking media altogether, the UK's Defense Ministry is encouraging its troops to make use of Twitter, Facebook, YouTube and other similar services. Troops and civilian employees may post to the sites without authorization as long as they follow guidelines to "maintain personal information and operational security and be careful about the information they share online."
-http://www.nextgov.com/nextgov/ng_20090807_7858.php?oref=topnews

Secret, Stubborn Cookies (August 10, 2009)

Researchers from the University of California, Berkeley have reported that more than half of the Internet's most popular websites are using Adobe Flash cookies to track users' behavior and interests, but these cookies are mentioned in just four privacy policies, though other sites mention the use of "tracking technology." Flash cookies differ from regular cookies because they are unaffected by browser privacy controls. Flash cookies are even being used to re-establish cookies for users after those users delete the more familiar browser cookies. The researchers' report was submitted earlier this week as a comment on the federal government's proposal to re-establish the use of cookies on federal websites (see following story).
-http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
-http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862

ACLU Concerned About Proposed Increase of Cookie Use on Government Sites (August 10, 2009)

The American Civil Liberties Union (ACLU) is concerned about a proposal from the White House Office of Management and Budget (OMB) to allow broader use of cookies on government web sites. A policy established in 2000 allows limited use of cookies on government sites, in cases of "compelling need." In a blog entry posted late last month, US Federal CIO Vivek Kundra and the OMB proposed a new cookie policy to "create a more open and innovative government." The ACLU has posted comments on the proposal, saying that "the implications of allowing the government to collect and store such information are staggering."
-http://www.computerworld.com/s/article/9136471/Potential_gov_t_cookie_policy_change_prompts_concerns
-http://blog.ostp.gov/2009/07/24/cookiepolicy/

A survey of 100 information security specialists at US energy companies found that the majority believe that the cyber security standards established by the North American Electric Reliability Corp (NERC) are not adequate to protect the country's electric power grid. More than half of those responding to the survey said they handle at least 150 serious attacks every week; two-thirds of respondents said they deal with at least 75 intrusions every week. Every respondent agreed that simply being in compliance with NERC regulations does not ensure that their systems are secure. However, respondents said that having compliance requirements helps make their departments' needs visible to senior management and helps generate funding for their budgets.
-http://www.scmagazineus.com/Energy-companies-say-NERC-standards-inadequate/article/141224/?DCMP=EMC-SCUS_Newswire
[Editor's Note (Schultz): The same issue that has plagued the PCI-DSS standard has surfaced in the case of the NERC standards. The question is not whether the standards mandate strong levels of security, so strong that systems and networks that conform to them could repel virtually any attack. Requiring such levels would foster open rebellion because of the high costs involved in achieving compliance. The real question is instead whether standards prescribe acceptable levels of security that result in sufficient controls that mitigate most identified risks.]

Skeptics Refute Beck's Allegation That Connecting To Cars.Gov Site Gives US Government The Right To Seize Computer (August 10, 2009)

Sandia to Launch Research Botnet (August 9 & 10, 2009)

Later this year, the US Department of Energy's Sandia National Laboratories plans to launch a simulated botnet comprising one million virtual machines. The botnet will not be used maliciously; instead, researchers hope to gain insight into botnet behavior and also into how to manage large systems.
-http://blogs.zdnet.com/emergingtech/?p=1706
-http://gcn.com/Articles/2009/08/10/Sandia-Botnet.aspx

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT security college, www.sans.edu.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/